Information Security Topics | Γιώργος Πατσής & ...
Training programme
Digital marketing & social networks
Information Security Topics
Γιώργος Πατσής - CEO
Αλέξης Δημητριάδης – IS Penetration Tester
Obrela Security Industries
The Economics of Information Security
Information Security: What, Why and How
What?
Be in a secure state – free from dangers
Protection of Information Assets against adversaries, intentional or otherwise
Integrity, Availability, Confidentiality
Information Assets
Hardware and Software
Systems, Networks
Applications
Data Centers
People
Information Containers
Environment
The velocity of change in Information Technology: evolution introduces complexity. Cloud, mobility, and new payment and commerce models increase security threats.
New World Order and Globalization provide a broader attack surface. 2.8 billion people and over 10 billion Internet-enabled devices access the Internet. The growing adoption of the Internet provides increasing opportunities to commit crime facilitated, enabled or amplified by the Internet.
Increased cybercrime sophistication and commercialization. A service-based criminal business model drives innovation and provides access to a wide range of services facilitating cybercrime. The criminal industry costs global economies an estimated USD 300+ billion per year.
Inadequate legislation. In many jurisdictions outside the EU there are no adequate legal frameworks in place for judicial cooperation. Even within the EU, differences in legislation and legal instruments to detect, attribute and exchange information in relation to cybercrimes cause significant impediments.
Threats
Hackers
Hacktivism
Industrial Espionage
Competitive Intelligence
Disgruntled Employees
Acts of God
Human Error
Crime Areas
CRIME AS A SERVICE
Infrastructure-as-a-Service
Data-as-a-Service
Pay-per-install Services
Hacking-as-a-Service
Translation Services
Money-Laundering-as-a-Service
MALWARE
Trojans
Criminal Botnets
Crime Areas
CREDIT CARD FRAUD
Skimming
POS Fraud
ATM Fraud
CNP Fraud
ONLINE FRAUD
Bank Transfers with fake IDs
Paypal
Virtual Currencies
On-Line Gambling
Money Mules
Crime Areas
SOCIAL ENGINEERING
SPAM (80B Messages)
Phishing
DATA BREACHES
Web Application Attacks
Cyber Espionage
Crimeware (malware/trojans)
Physical Loss/Theft
Card Skimmers
DoS Attacks
APTs (average time an attacker remained on a compromised network: 229 days)
Crime Areas
CRITICAL INFRASTRUCTURE
Cross-Sector Dependencies
Cascade Effects
Why
Information is the most valuable asset
A fundamental quality vector
The market asks for it (consumer, corporate, government)
Liability – Obligation under law (not a nice to have)
Money…
How
Information Security is not about Technology
Everyone is involved and responsible
A key management issue
Risk Management applies
How
Key Elements
Process
Technology
People
How
People
Awareness, Training, Culture
How: Process
Governance
Preventive Maintenance
Operational Security
Policy and Standards
Business Continuity
Risk Management
Assess, Mitigate, Accept, Transfer
How
Technology
Data Security (Encryption, DLP, Availability)
Network Security (Firewalls, IDS, IPS)
Systems Security (Antimalware)
Application Security (WAF)
End User Security (Access Control, Authentication)
Requires know-how and resources. Must be constantly maintained and monitored.
Risk Management: Identify, Evaluate and Manage the Risks
Identify
Business
Marketing
Technology
Financial
Legal
Assess
Likelihood x Impact
Qualitative vs. Quantitative
Listen to the experts
Know your business
Do it regularly
Mitigate
Preventive Controls
Define Policy, Build Security Controls, Assess Effectiveness, Continuously Improve
Reactive Controls
Monitor, React
Manage
Not all risks require mitigation/remediation
Information security must be strategic
Information security strategy must be aligned with Business
Risk is unique to your business and environment; there is no one-size-fits-all solution
Risks change as your business environment changes
You are in trouble if you ignore risks or assume they don’t exist
Take informed decisions
For the Chief xxx Officers: Need to know(s)
Due Care
Provides a framework that helps to define a minimum standard of protection that business stakeholders must attempt to achieve
Often references the Prudent Man Rule and requires that the organization engage in business practices that a prudent, right-thinking person would consider to be appropriate.
Businesses that are found to have not applied this minimum duty of care can be deemed as having been negligent in carrying out their duties
Due Diligence
Requires that an organization continually scrutinize its own practices to ensure that it is always meeting or exceeding the requirements for protection of assets and stakeholders
Due diligence is the management of due care: it follows a formal process
Persons are said to have exercised due diligence, and therefore cannot be considered negligent, if they were prudent in their investigation of potential risks and threats
The Market
Professional Services
Technology Vendors
Security Service Providers
Technology Integrators
Buy Vs. Build
Outsource
▪ Low Initial Investment and No Assets (zero CAPEX)
▪ Specialized and subject matter expert partner with INFOSEC as core business
▪ Strong SLA with Liabilities & Warranties
▪ Low OPEX
▪ Flexibility
Insource
▪ Keep Control
▪ Requires Initial Investment
▪ Acquire Know How
▪ High Turnover
▪ High OPEX
▪ Lack of Focus
▪ Dependency on Vendors
Compliance and Legislation
Industries and Sectors
Telecommunications
Health
Banking and Finance
Electronic Crime
Insurance
Government
Regulations
Sarbanes-Oxley Act (SOX)
HIPAA
FISMA
Data Protection Act
Basel II
PCI DSS - Payment Card Industry Data Security Standard
Standards
ISO 27002:2005 (BSI)
COBIT
ITIL
PCI-DSS
NIST
ENISA
Your Security Officer
Must have experience in Information Security Management
Must have excellent communication and project management skills
Must have a crystal clear background check
Must have verifiable references
Remember he will hold the keys…
When things go wrong
Call the experts as soon as possible
Size the exposure and liability
Understand the consequences before you decide actions
Engage the business stakeholders
If you decide to go public you need to decide the communication strategy
Inform the authorities
For the End Users: Tips & Tricks, from a ‘white-hacking’ perspective
Security awareness & culture
Alertness, observation and attentiveness are essential skills that play a key role in ‘anomaly detection’
• Such anomalies can occur as: a fake web site (phishing attacks), a malicious email (client-side approaches), a corrupted computer (malware), etc.
Reporting and escalating such anomalies is a determinative reaction
• It’s always better to report a ‘false positive’ incident than suppress a ‘false negative’ one.
Raising the bar - The Human factor
Respecting the company’s Security Policy
• The human factor noticeably influences the Security Level that is put in place by the automated mechanisms, controls and procedures.
• Users’ feedback is crucial for further improvements on new or existing blocking points
Social engineering attacks - Be prepared !
• Most attacks, APTs included, are nowadays performed through ‘client-side approaches’ (emails, calls, physical presence, etc.)
Raising the bar - Marketing tools
Marketing tools (web site, social media, etc.) represent a public and exposed entity that directly affects the company’s image; their administration requires extra ‘attention’
• System sphere: work vs personal computer, laptops vs smartphones, external sources
• Network sphere: untrusted networks (LANs, WiFi)
• Password management & policy: complexity, history, pattern, modification period, etc.
Raising the bar - Continuous training
The Information Technology field is constantly and rapidly evolving
Being up-to-date on the respective Security Aspects is a key element for people that manage important and exposed Information Assets
• This process can be fulfilled through different means such as presentations, seminars, conferences, certifications and so on
Global View: Intelligence
Alerting and Notification
Global Investigations
Data Centers
Call Centers
Global Perspective
Thank you for your attention
Alexis Dimitriadis, IS Penetration Tester - Security Labs, Obrela Security Industries
Phone: 210 9573750 (ext. 20) E-mail: [email protected] Web site: www.obrela.com
George Patsis, CEO, Obrela Security Industries
Phone: 6944671244 E-mail: [email protected] Web site: www.obrela.com